NSA responds to report it hacked China, emphasizes ‘strong defense posture’

By Ryan Lovelace The Washington Times Friday, February 21, 2025

A new analysis exposing the National Security Agency’s alleged hack of a Chinese university sent shock waves through the cybersecurity community this week, with granular details of the communist country’s investigative findings spilling out into the open.

The Australia-based researcher Lina Lau, who uses the pseudonym @inversecos online, published a detailed breakdown of China’s work to hunt the NSA hackers that Beijing believes penetrated Northwestern Polytechnical University, located in the city of Xi’an.

Asked about the accuracy of Ms. Lau’s work, an NSA senior official offered a lengthy statement that criticized China’s cyber operations — but contained no denial that the U.S. agency had hacked the university.

“NSA is unwavering in its commitment to equipping network defenders with timely, actionable guidance to safeguard critical infrastructure against the growing and evolving landscape of cyber threats,” the official said. “We recognize the importance of maintaining a strong defense posture, and we remain dedicated to strengthening the security of our digital networks and those of America’s defense industrial base.”

The official called attention to the NSA and other foreign and domestic cyber agencies publishing reports on China’s hacking operations, contending that China’s “aim is to gain access to our critical networks to sow disruption and chaos.”

“The intelligence we gather remains essential for understanding adversarial tactics, assessing vulnerabilities and providing the critical insights necessary to protect our networks from malicious actors,” the official said. “It is imperative that we stay committed to providing the most up-to-date guidance and actionable intelligence to those defending our networks with the resolve to protect national security and defend our nation.”

Ms. Lau’s analysis, published on Tuesday, provided new details on how China’s cyber professionals identified the suspected Americans hacking inside their networks in 2022, according to intelligence reports from China’s Qihoo 360, Pangu Lab, and the National Computer Virus Emergency Response Center.

China studied the timing of the attacks, the hackers’ keyboard inputs, and the apparent human errors made by the hackers raiding China’s domestic infrastructure systems.

Ms. Lau wrote on her blog that the Chinese investigators traced the hack to an NSA employee engaged in Tailored Access Operations (TAO) using the pseudonym “Amanda Ramirez.”

Almost all of the observed hacking occurred between 9 a.m. and 4 p.m. Eastern time, Monday through Friday, with no attacks identified on Christmas, Memorial Day or Independence Day, according to Ms. Lau.

The Chinese incident responders also discovered the attackers used American English and American keyboards.
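The working-hours timing analysis described above, as an added example that is not part of the article or the cited Chinese reports: the timestamps are constructed, and the candidate time zones and fixed UTC offsets are assumptions. Given activity timestamps in UTC, it scores each candidate zone by how much of the activity falls on weekdays between 09:00 and 16:00 local time, excluding the holidays the article names.

```python
from datetime import date, datetime, timedelta, timezone

# Constructed sample of attacker activity timestamps in UTC (not from the
# article or the cited reports): an operator keeping roughly 09:00-16:00
# US Eastern (UTC-5 in January) on weekdays, plus one Saturday outlier.
SAMPLE_EVENTS_UTC = [
    "2022-01-10T15:30:00Z", "2022-01-11T18:00:00Z", "2022-01-12T20:45:00Z",
    "2022-01-13T14:05:00Z", "2022-01-14T19:30:00Z", "2022-01-18T16:00:00Z",
    "2022-01-19T20:30:00Z", "2022-01-20T17:15:00Z", "2022-01-15T17:00:00Z",
]
# Assumed candidate operator time zones (fixed offsets, no DST handling).
CANDIDATE_OFFSETS_H = {"UTC-5": -5, "UTC+0": 0, "UTC+3": 3, "UTC+8": 8}

def us_holidays(year):
    """The holidays the article mentions: Memorial Day (last Monday in May),
    Independence Day and Christmas. Observed-day shifts are ignored."""
    may31 = date(year, 5, 31)
    memorial_day = may31 - timedelta(days=may31.weekday())  # Monday == 0
    return {memorial_day, date(year, 7, 4), date(year, 12, 25)}

def in_working_window(local_dt, start_hour=9, end_hour=16):
    """True when local_dt is Mon-Fri, 09:00-15:59 and not a listed holiday."""
    if local_dt.weekday() >= 5 or local_dt.date() in us_holidays(local_dt.year):
        return False
    return start_hour <= local_dt.hour < end_hour

def parse_utc(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def score_offsets(events_utc, offsets_h=CANDIDATE_OFFSETS_H):
    """Fraction of events inside the working window under each candidate
    offset. Real data spanning DST changes should convert via zoneinfo."""
    events = [parse_utc(s) for s in events_utc]
    scores = {}
    for label, hours in offsets_h.items():
        local = [e.astimezone(timezone(timedelta(hours=hours))) for e in events]
        scores[label] = sum(in_working_window(t) for t in local) / len(local)
    return scores

def likely_operator_timezone(events_utc, offsets_h=CANDIDATE_OFFSETS_H):
    scores = score_offsets(events_utc, offsets_h)
    return max(scores, key=scores.get)

if __name__ == "__main__":
    for label, frac in score_offsets(SAMPLE_EVENTS_UTC).items():
        print(f"{label}: {frac:.0%} of activity in Mon-Fri 09:00-16:00 window")
    print("most consistent time zone:", likely_operator_timezone(SAMPLE_EVENTS_UTC))
```

A high score is only circumstantial: operators can deliberately shift their hours, so this signal is meant to be weighed alongside the keyboard-layout and tooling-error evidence the article describes.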

“Due to the length and scale of the incident, when one of the alleged NSA ‘attackers’ tried to upload and run a Pyscript tool, they forgot to modify the parameters,” Ms. Lau wrote on her blog. “This returned an error — the error message exposed the working directory and file name of the attacker’s internet terminal.”

Ms. Lau said the returned error revealed that the hackers were using a system containing the “special name of the TAO network attack tool directory.” 

In a section revealing the NSA’s purported tactics, techniques and procedures, Ms. Lau said initial access to the Chinese university came via an attack platform first publicly revealed by former NSA contractor Edward Snowden. Mr. Snowden fled the U.S. in 2013 after leaking a trove of confidential government documents about foreign and domestic surveillance and now lives in Russia.

Ms. Lau said the university was a valuable target for the U.S. hackers owing to its status as a “leading institution specializing in aerospace and defense.” 

“Once inside, NSA operatives allegedly systematically stole classified research data, network infrastructure details and sensitive operational documents,” Ms. Lau said. 

While she focused on alleged hacking aimed at the university beginning in 2022, the Australian researcher said on X that it was clear the cyberattacks on the university began far earlier. 

She did not comment on whether she viewed China’s allegations of the NSA’s hacking as legitimate, and the agency has dodged questions about accusations that it had hacked the university for years. 

While such information about suspected American hacking is sparse, the U.S. government’s cyber agencies and Western tech companies routinely publish details on China-linked cyberattackers. 

For example, U.S. cybersecurity professionals have accused China’s Typhoon hacking groups of infiltrating American infrastructure and telecom systems for espionage and sabotage.
